An information security manager has been asked to develop a change control process. What is the FIRST thing the information security manager should do?

• A.Research best practices
• B.Meet with stakeholders
• C.Establish change control procedures
• D.Identify critical systems

Comment: *

Name: *

Email: *

Verification: *

Which of the following is the BEST method for ensuring that security procedures and guidelines are known and understood?

• A.Periodic focus group meetings
• B.Periodic compliance reviews
• C.Computer-based certification training (CBT)
• D.Employee's signed acknowledgement

Comment: *

Name: *

Email: *

Verification: *

An organization has experienced multiple instances of privileged users misusing their access Which of the following processes would be MOST helpful in identifying such violations?

• A.Log review
• B.Security assessment
• C.Review of access controls
• D.Policy exception review

Comment: *

Name: *

Email: *

Verification: *

An internal control audit has revealed a control deficiency related to a legacy system where the compensating controls no longer appear to be effective.
Which of the following would BEST help the information security manager determine the security requirements to resolve the control deficiency?

• A.Risk assessment
• B.Gap analysis
• C.Cost-benefit analysis
• D.Business case

Comment: *

Name: *

Email: *

Verification: *

When preparing a risk treatment plan, which of the following is the MOST important consideration when reviewing options for mitigating risk?

• A.Cost-benefit analysis
• B.Control identification
• C.Business impact analysis (BIA)
• D.User acceptance

Comment: *

Name: *

Email: *

Verification: *